Allasso’s Information Security policies describe how the organization protects its information assets and ensures that the practices, processes, and controls needed to protect information assets created, used, and maintained by Allasso are implemented. The primary purposes of Allasso’s Information Security policies are to:
• Establish responsibility and accountability for information security in the organization.
• Provide an appropriate level of awareness and knowledge to employees to help minimize the occurrence and severity of information security incidents.
• Provide governance on how Allasso will review, manage, and approve Information Security policies.
• Comply with relevant laws, regulations, and contractual obligations related to information security.
The Information Security Policy Framework governs Allasso’s information security policies, technical standards, standard operating procedures, and guidelines throughout their lifecycle, so that Allasso’s information assets are continuously protected.
Information Security policies, procedures, and technical standards shall be reviewed and approved at least annually by the responsible departments and, where necessary, by the CISO and the Chief Information Officer (CIO). Any updates or changes to policies, procedures, and technical standards shall be communicated to the appropriate audience(s) and shall state specifically what has changed and when the change took effect.
Information security risks that could compromise the confidentiality, integrity, or availability of Allasso’s information assets, including personal data, shall be identified, analyzed, and mitigated to an acceptable level that meets business objectives and compliance requirements.
Information Security periodically reviews risks. This includes, but is not limited to:
• Identifying key areas of risk (i.e., establishing the context for risk-based decisions)
• Defining risk appetite
• Implementing mitigation in key risk domains as defined in the mitigation plans
• Monitoring risks on an ongoing basis, using effective organizational communication and a feedback loop to continuously improve the organization’s risk-related activities
Information Security shall engage with the business to identify potential threats to information assets and advise on potential remediations in a timely manner, leveraging internal and external expertise, including but not limited to:
• Documenting a list of internal and external threat and attack data sources
• Subscribing to third-party notification sites and threat feeds for the latest threat intelligence
• Determining how attack scenarios and threats will be documented
Once risks have been identified, Allasso determines its exposure to them by assessing their financial and/or reputational impact on the firm (e.g., whether the impact is limited to a single office or is firmwide/global).
The agreed magnitude of risk exposure, rated on a 5-tier scale, informs the level of mitigation considered adequate (i.e., high mitigation for high exposures and low mitigation for low exposures).
Risks are not static; threats, vulnerabilities, likelihood, or consequences may change abruptly without any indication. Constant monitoring is necessary to detect these changes. This may be supported by external services that provide information regarding new threats or vulnerabilities. Factors that affect the likelihood and consequences of threats occurring could change, as could factors that affect the suitability or cost of the various treatment options. Risk monitoring activities are regularly repeated, and the selected options for risk treatment are reviewed periodically.
Engaging third-party partners to deliver products and/or services enables Allasso to execute its strategies with greater quality and efficiency. However, third-party relationships present unique risks, and Allasso operates a security risk assessment program to select and manage its third parties, including cloud service providers. These third parties undergo a Risk Assessment to ensure that they can:
• Secure Allasso’s and Allasso’s clients’ information
• Protect Allasso’s and Allasso’s clients’ privacy
• Prevent actions and behaviors that impair Allasso’s brand or reputation
• Meet contractual and agreed-upon standards of service
• Enforce minimum levels of security standards
The Information Asset Management Policy establishes requirements for inventorying, assigning ownership of, classifying, and disposing of Allasso’s information assets, both physical and logical. This policy defines the controls required to securely manage each asset throughout its lifecycle, from procurement through disposal.
Allasso shall maintain an inventory of its technology assets that covers both hardware and software. All Allasso and Company systems and applications are recorded and maintained on an ongoing basis in a centralized Configuration Management Database (CMDB), which describes each asset, who owns it, where it is located, how it is configured, and how it connects to Allasso’s network infrastructure. The asset inventory shall include all information necessary to manage an information asset throughout its lifecycle, from creation through disposal.
An asset owner is identified for every information asset, and responsibility for maintaining appropriate controls is assigned to that owner. The owner may delegate the operation of some controls, as appropriate, but remains responsible for the management of the information asset.
Data is classified to indicate the sensitivity of information. Based on the classification of information, the associated handling requirements for the data must be followed.
To ensure the confidentiality, integrity, and availability of its information systems, Allasso adheres to a set of controls intended to mitigate risk to these resources. Information systems, including but not limited to computer equipment, software, operating systems, collaboration and data storage tools, storage media, network accounts, and applications, are the property of Allasso. Allasso’s Acceptable Use policy applies to all personnel (including but not limited to employees, contractors, clients, Allasso alumni, guest users, and third parties) who have an account and use any information, electronic or computing devices, and/or network resources to conduct Allasso and Company business or to interact with internal networks and business systems, whether owned or leased by Allasso. Anyone using these systems or data is responsible for exercising good judgment regarding the appropriate use of information, electronic devices, and network resources, in accordance with all Allasso policies and standards and with local laws and regulations.
Unless subject to Legal Hold, all types of data (Business, Legal, or Client Data) that exceed the required retention period are destroyed using designated data destruction practices in accordance with data sensitivity. Disposal procedures are designed to avoid accidental disclosure.
When the party to whom a physical technology asset was issued no longer has a relationship with Allasso and Company (e.g., on employment termination or contract termination), the asset shall be returned to Allasso or remotely wiped in accordance with the departure terms. Upon termination of a contract with a Third Party, Allasso shall return or dispose of the data associated with that Third Party customer in accordance with the terms of the contract with the Third Party.
Users are responsible for safeguarding any removable media they use and for ensuring that it is stored securely when not in use. If removable media, such as removable hard drives, CDs, DVDs, USB drives, or SD cards, is used to store Allasso information, the asset owner takes appropriate measures to protect the content on the media from unauthorized access, misuse, and data corruption. Confidential and privacy-sensitive information stored on removable media such as USB drives is encrypted. Any physical technology assets provided by Allasso to employees, contractors, consultants, or other parties shall be properly controlled and protected, with reasonable care taken to avoid loss, theft, or damage. In particular, the party to whom the assets are provided shall not take any action that may contribute to asset failure, shall not connect or use accessories or peripherals not supplied or supported by Allasso, and shall not use any technology asset services not authorized by Allasso to manage or access the asset.
Media containing information is protected against unauthorized access, misuse, or corruption during transportation, including transportation beyond the organization’s physical boundaries. Physical media is disposed of securely when no longer required, using formal procedures.
Policies are established to ensure employees and contractors understand their responsibilities.
Part of our recruitment process is conducting relevant pre-employment background checks on those individuals to whom we extend an offer of employment. All offers (including temporary hires and interns) are contingent upon successful completion of a background check, the scope of which may vary based on the candidate’s role and job location (in accordance with local regulations).
The terms and conditions of employment signed by Allasso employees and third parties include their respective responsibilities for information security and related obligations, both during and after employment. All employees and third parties who are given access to confidential information sign a confidentiality or non-disclosure agreement before being given access to information processing facilities. Employees and third-party employees who process, store, or handle Allasso Information Assets, including customer or Allasso PII, are liable for any unauthorized disclosure, modification, and/or destruction of information. All users receive appropriate training before being given access to Allasso’s computing and network assets, including personal data.
Management ensures that all employees and third parties apply information security in accordance with the organization's established policies and procedures. All employees and third parties are properly briefed about their roles and responsibilities regarding information security and the acceptable usage of Allasso information assets and processing facilities.
Allasso has implemented a training program that encompasses a range of initiatives: new-hire training for all employees, global phishing exercises to raise awareness of phishing threats, real-time advisories and updates based on ongoing security incidents, and regular updates on organizational policies, procedures, and breaches, so that the workforce has the knowledge and skills necessary to safeguard client data.
The access rights of the users to information assets shall be revoked within twenty-four hours of separation of their employment, contract, or agreement. Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor, and enforced.
Allasso's information hosting facilities, co-located at third-party data centers, have robust physical security measures and adhere to globally recognized standards, including ISO 27001/2 and SSAE-16 / SOC-2. To ensure the continued security and compliance of these facilities
Changes to any Allasso information system (including applications, servers, system software, security architecture, and network devices) are controlled to ensure that the risks associated with such changes are managed to an acceptable level. Changes are properly developed, tested, approved, and implemented.
Anti-malware tools, associated procedures, and other relevant controls such as user awareness shall be implemented to detect, prevent, and recover from malware efficiently. Anti-virus software and its signature files are kept up to date. Controls are implemented to prevent malware from being introduced into the infrastructure from internal networks or from external networks such as the Internet.
All relevant application and operating systems software, data (including databases), applications and operating systems configuration information, hardware, and software configuration information (where applicable) are identified, documented, and periodically backed up.
Allasso uses threat and vulnerability intelligence to assess the impact on Allasso systems. All systems within the Allasso network have undergone a complete vulnerability assessment, and third-party penetration testing is conducted annually. All systems are also scanned for vulnerabilities before being placed into production. Timelines are defined for responding to identified or reported technical vulnerabilities. If a vulnerability cannot be remediated directly, compensating controls shall be considered to reduce the resulting risk. After a patch or other fix is applied, a verification check or rescan is performed to confirm that the vulnerability has been closed.
Security vulnerability and patch management are essential for maintaining the integrity of the Allasso network and for safeguarding client data. Unpatched systems are a significant target for attackers seeking to steal sensitive data or disrupt the network. Patch management is a continuous process: because vulnerabilities are constantly evolving, they are addressed continually.
Security monitoring tools and services are leveraged to help identify known threats and vulnerabilities, which are mitigated and remediated as necessary, using a risk-based approach. Systems are monitored by multiple tools to ensure that they are meeting integrity, performance, and availability standards. Processes also exist to alert appropriate staff if boundary thresholds are passed or if other events may warrant review or action. Where appropriate, our cybersecurity incident response process is triggered.
All new user accounts require a unique ID (i.e., user account IDs are never reused or reissued). New user accounts and passwords are issued to users in a secure manner. Privileged access requests beyond the access granted as part of a user’s job function are verified and approved by the requestor’s manager. Staff with privileged accounts have a separate, non-privileged account for performing normal business functions unless compensating controls are in place to monitor the privileged accounts. Employment termination or change of role shall trigger the relevant processes for revoking or amending access rights. The use of personal email accounts or non-approved information technology resources for business-related activities is
We have established a formal and documented procedure for user registration and de-registration to manage access to all infrastructure components and software. This process ensures the controlled granting and revoking of access rights.
All passwords in use at Allasso adhere to current password security practices. Inactive sessions (application sessions, VPN sessions, administrative sessions, etc.) are disconnected after a defined period of inactivity. Administrator accounts are subject to a more stringent password policy and MFA requirements than standard end-user accounts. Applications shall be integrated with single sign-on (SSO) wherever possible, and provisioning and de-provisioning of user access shall be automated. Remote or VPN access to Allasso critical systems shall require Multi-Factor Authentication (MFA).
Firewalls, web content filters, and network intrusion detection and prevention (IDP) solutions are essential components in protecting data and services from unauthorized traffic crossing between network zones of differing trust or privilege levels. As such, their placement and configuration require careful design.
All on-premises firewalls deployed across the organization conform to Allasso standards and are centrally managed to ensure consistent deployment and updates.
Rules for developing software and systems are established and applied to development within the organization. Development, testing, and operational environments are separated to reduce the risk of unauthorized access or changes to the operational environment. Code is reviewed by multiple individuals and put through automated checks to minimize the risk of security incidents arising within the development lifecycle.
Development, testing (pre-production), and operational (production) environments are kept isolated. The isolation may be physical (different hosts) or logical (different partitions on the same host). Access to the development environment is restricted on a need-to-know basis. Changes to production systems are made only after they have been tested in a testing environment. Dedicated test data is generated and used for testing purposes. As a general rule, Personally Identifiable Information (PII) is strictly prohibited from being used for testing, and synthetic or fictitious PII shall be used instead; real PII may be moved into the testing environment only with the approval of the CISO and at the request of the customer for a legitimate business or technical reason.
Allasso applies encryption when practical to all communications and data at rest. Encryption is an essential tool in protecting the integrity and security of our clients’ information as well as Allasso’s intellectual property. Following the practice of defense-in-depth, we have encryption implemented at many points throughout the organization and our processes. These standards apply to all cryptographic mechanisms used to protect the confidentiality, authenticity, and integrity of Allasso and client data as required by the Allasso Information Security Policy.
Data must be protected in transit (e.g., while being transmitted from one location to another over a network) and at rest (e.g., while stored in a database or in the cloud). Removable media must be encrypted using approved cryptographic algorithms (e.g., the Advanced Encryption Standard with a 256-bit key, AES-256).
Proper management of cryptographic keys is essential to the effective use of cryptography for security. Secret and private keys require protection against unauthorized disclosure, and all keys require protection against modification. Key management provides the foundation for the secure generation, storage, distribution, use, and destruction of keys.
Allasso has a business interest in protecting its assets and information and is legally required to protect the data, including personal data/personally identifiable data, that it holds. An information security incident could have significant operational, reputational, financial, and legal consequences for Allasso and may impact trust in the organization. A rapid and comprehensive response to critical incidents that threaten the confidentiality, integrity, and availability of Allasso’s information assets is required to protect those assets effectively. The Information Security Incident Management (SIM) standard provides the basis for the appropriate response to incidents that threaten the confidentiality, integrity, and availability of Allasso’s information assets, information systems, and the networks that deliver the information. The SIM Standard underlies the establishment and ongoing deployment of critical incident response teams, formed for the purpose of managing incidents.
Organization-wide information security processes include information security requirements to help ensure that the confidentiality, integrity, and availability of critical information assets are preserved even in the event of a business disruption or disaster. Allasso has contingency plans to handle disruptions to our operations and services. The infrastructure can be monitored and managed remotely. Allasso infrastructure is designed to support a fully mobile workforce that requires remote connectivity to Allasso resources and remote support capabilities for customers.
Company business data is protected through the provision of data backup services appropriate to the nature and importance of the business data, as required to meet agreed business recovery objectives, and to ensure the integrity and availability of business data.
Allasso has implemented and will maintain a comprehensive set of formal policies, controls, and practices to comply with personal data processing in accordance with Applicable Data Protection Laws. This includes: